ABSTRACT
Protected module architectures such as Intel SGX hold the promise of protecting sensitive computations from a potentially compromised operating system. Recent research convincingly demonstrated, however, that SGX's strengthened adversary model also gives rise to to a new class of powerful, low-noise side-channel attacks leveraging first-rate control over hardware. These attacks commonly rely on frequent enclave preemptions to obtain fine-grained side-channel observations. A maximal temporal resolution is achieved when the victim state is measured after every instruction. Current state-of-the-art enclave execution control schemes, however, do not generally achieve such instruction-level granularity.
This paper presents SGX-Step, an open-source Linux kernel framework that allows an untrusted host process to configure APIC timer interrupts and track page table entries directly from user space. We contribute and evaluate an improved approach to single-step enclaved execution at instruction-level granularity, and we show how SGX-Step enables several new or improved attacks. Finally, we discuss its implications for the design of effective defense mechanisms.
References
- Ferdinand Brasser, Urs Müller, Alexandra Dmitrienko, Kari Kostiainen, Srdjan Capkun, and Ahmad-Reza Sadeghi. 2017. Software grand exposure: SGX cache attacks are practical. In 11th USENIX Workshop on Offensive Technologies (WOOT '17). USENIX Association. Google Scholar
Digital Library
- Sanchuan Chen, Xiaokuan Zhang, Michael K Reiter, and Yinqian Zhang. 2017. Detecting privileged side-channel attacks in shielded execution with Déjà Vu. In Proceedings of the 2017 Asia Conference on Computer and Communications Security (Asia CCS '17). ACM, 7--18. Google Scholar
Digital Library
- Victor Costan, Ilia Lebedev, and Srinivas Devadas. 2016. Sanctum: Minimal hardware extensions for strong software isolation. In Proceedings of the 25th USENIX Security Symposium. USENIX Association.Google Scholar
- Marcus Hähnel, Weidong Cui, and Marcus Peinado. 2017. High-resolution side channels for untrusted operating systems. In 2017 USENIX Annual Technical Conference (ATC '17). USENIX Association. Google Scholar
Digital Library
- Intel Corporation. 2016. Intel 64 and IA-32 architectures optimization reference manual. Reference no. 248966-033.Google Scholar
- Intel Corporation. 2017. Intel 64 and IA-32 architectures software developer's manual. Reference no. 325462-062US.Google Scholar
- Intel Corporation. 2017. Intel software guard extensions developer guide. software.intel.com/en-us/documentation/sgx-developer-guide.Google Scholar
- Sangho Lee, Ming-Wei Shih, Prasun Gera, Taesoo Kim, Hyesoon Kim, and Marcus Peinado. 2017. Inferring fine-grained control flow inside SGX enclaves with branch shadowing. In Proceedings of the 26th USENIX Security Symposium. USENIX Association.Google Scholar
- P. Maene, J. Götzfried, R. de Clercq, T. Müller, F. Freiling, and I. Verbauwhede. 2017. Hardware-based trusted computing architectures for isolation and attestation. IEEE Trans. Comput. 99 (2017).Google Scholar
- Ahmad Moghimi, Gorka Irazoqui, and Thomas Eisenbarth. 2017. CacheZoom: How SGX amplifies the power of cache attacks. In Conference on Cryptographic Hardware and Embedded Systems (CHES '17).Google Scholar
Cross Ref
- Michael Schwarz, Samuel Weiser, Daniel Gruss, Clémentine Maurice, and Stefan Mangard. 2017. Malware guard extension: Using SGX to conceal cache attacks. In Detection of Intrusions and Malware, and Vulnerability Assessment (DIMVA '17).Google Scholar
- Ming-Wei Shih, Sangho Lee, Taesoo Kim, and Marcus Peinado. 2017. T-SGX: Eradicating controlled-channel attacks against enclave programs. In Proceedings of the 2017 Annual Network and Distributed System Security Symposium (NDSS). San Diego, CA.Google Scholar
Cross Ref
- Jo Van Bulck, Nico Weichbrodt, Rüdiger Kapitza, Frank Piessens, and Raoul Strackx. 2017. Telling your secrets without page faults: Stealthy page table-based attacks on enclaved execution. In Proceedings of the 26th USENIX Security Symposium. USENIX Association.Google Scholar
Digital Library
- Nico Weichbrodt, Anil Kurmus, Peter Pietzuch, and Rüdiger Kapitza. 2016. AsyncShock: exploiting synchronisation bugs in Intel SGX enclaves. In European Symposium on Research in Computer Security (ESORICS '16). Springer.Google Scholar
Cross Ref
- Yuanzhong Xu, Weidong Cui, and Marcus Peinado. 2015. Controlled-channel attacks: Deterministic side channels for untrusted operating systems. In IEEE Symposium on Security and Privacy. IEEE, 640--656. Google Scholar
Digital Library
Index Terms
SGX-Step: A Practical Attack Framework for Precise Enclave Execution Control





Comments